<?php
namespace yan\csp;

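/**
 * Response filter that attaches browser hardening headers (CSP, X-Frame-Options,
 * Referrer-Policy, Permissions-Policy) to an outgoing response.
 *
 * Intended to be wired as a handler for the response "before send" event, with
 * the response available as `$event->sender`.
 *
 * The class name keeps the original (misspelled) identifier so existing wiring
 * keeps working.
 */
class Fliter
{
    use \yii\base\StaticInstanceTrait;

    /**
     * Domain used to build the `*.<domain>` sources of the CSP.
     *
     * When null (the default) the domain is derived from the request Host header
     * with a leading "www." removed. The Host header is client-supplied, so a
     * deployment that wants a fixed policy should set this explicitly; a spoofed
     * Host then cannot influence the emitted policy.
     *
     * @var string|null
     */
    public $domain = null;

    /**
     * Adds the hardening headers to the response carried by the event.
     *
     * Assumes `$event->sender` exposes a `headers` collection with an `add()`
     * method (a yii\web\Response does) and that \yan\csp\Helper::cspContent()
     * serialises the directive map into a CSP header value, quoting keyword
     * sources such as self / unsafe-inline itself — confirm against Helper.
     *
     * NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src largely
     * disable the XSS mitigation a CSP provides; nonces or hashes would be
     * the stronger replacement. The same keywords in connect-src, img-src and
     * font-src are not meaningful source expressions for those directives and
     * are expected to be ignored by browsers; they are kept so the emitted
     * header value is unchanged. A `frame-ancestors` directive would be the
     * CSP-level counterpart of the X-Frame-Options header added below.
     *
     * @param \yii\base\Event $event event whose sender is the response being sent
     */
    public function doFliter($event)
    {
        $response = $event->sender;
        $domain = $this->resolveDomain();

        // A `*.` source with an empty domain is malformed, so emit the wildcard
        // entry only when a domain is known (it is absent e.g. under the CLI).
        $ownHosts = $domain === '' ? [] : ['*.' . $domain];
        $google = ['*.googletagmanager.com', '*.google-analytics.com'];

        $policy = [
            'default-src' => array_merge(['self'], $ownHosts, $google, ['*.cloudflare.com']),
            'style-src' => array_merge(['self', 'unsafe-inline'], $ownHosts, $google),
            'script-src' => array_merge(
                ['self', 'unsafe-inline'],
                $ownHosts,
                $google,
                ['*.google.com', '*.googleadservices.com', '*.cloudflareinsights.com', 'googleads.g.doubleclick.net', '*.cloudflare.com']
            ),
            'connect-src' => array_merge(['self', 'unsafe-inline', 'unsafe-eval', 'data:', 'blob:'], $ownHosts, $google, ['*.google.com']),
            'img-src' => array_merge(['self', 'unsafe-inline', 'unsafe-eval', 'data:'], $ownHosts, $google, ['googleads.g.doubleclick.net']),
            'font-src' => array_merge(['self', 'unsafe-inline', 'unsafe-eval', 'data:'], $ownHosts, $google),
        ];

        $response->headers->add('Content-Security-Policy', \yan\csp\Helper::cspContent($policy));
        $response->headers->add('X-Frame-Options', 'SAMEORIGIN');
        $response->headers->add('Referrer-Policy', "strict-origin-when-cross-origin");
        $response->headers->add('Permissions-Policy', "camera=(), geolocation=(), payment=self");
    }

    /**
     * Resolves the domain for the `*.<domain>` CSP sources.
     *
     * Uses the configured $domain when set; otherwise the request Host header
     * with a leading "www." stripped. Returns '' when no host is available so
     * the caller can omit the wildcard source instead of emitting `*.`.
     *
     * @return string
     */
    private function resolveDomain()
    {
        if ($this->domain !== null) {
            return (string) $this->domain;
        }

        // HTTP_HOST is absent outside a web request; avoid the undefined-index notice.
        $host = isset($_SERVER['HTTP_HOST']) ? (string) $_SERVER['HTTP_HOST'] : '';

        // Strip "www." only as a prefix: a plain str_replace() would also mangle
        // hosts such as "awww.example.com". Host names are case-insensitive,
        // hence the /i flag. Any ":port" suffix is kept — a CSP host-source may
        // carry a port, and this matches what was emitted before.
        return preg_replace('/^www\./i', '', $host);
    }
}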